From matthias.klumpp at puri.sm Wed Apr 3 14:51:21 2019
From: matthias.klumpp at puri.sm (Matthias Klumpp)
Date: Wed, 3 Apr 2019 23:51:21 +0200
Subject: [Security] [Fwd: [SECURITY] [DSA 4404-1] chromium security update]
In-Reply-To:
References:
Message-ID:

On Wed, 3 Apr 2019 at 20:59, Jeremiah C. Foster wrote:
>
> This security message from Debian I'm forwarding affects PureOS. I can
> see in our repos that we have the fixed (and compromised) version.
> https://repo.pureos.net/pureos/pool/main/c/chromium/
>
> @Matthias -- is there some action we should take to remove the old
> version? apt-cache policy is still saying the old, compromised version
> of chromium will be installed;
>
> apt-cache policy chromium
> chromium:
>   Installed: (none)
>   Candidate: 72.0.3626.109-1
>   Version table:
>      72.0.3626.109-1 500
>         500 https://repo.puri.sm/pureos green/main amd64 Packages
>

$ dak ls chromium
chromium | 73.0.3683.75-1 | green   | source, amd64, arm64
chromium | 73.0.3683.75-1 | landing | source, amd64, arm64
chromium | 73.0.3683.75-1 | purple  | source, amd64, arm64

So, according to our archive (*the* authoritative source for questions
of which package version is where) this is fixed in PureOS, and for
about 1-2 days already.
It is a bit odd that apt-policy doesn't seem to reflect that - did you
run an apt update before? Maybe there was some other kind of lag
somewhere?
(actually hard to tell now)
From a new debspawn chroot:

root at sirius-green-amd64-yzj3:/srv# apt-cache policy chromium
chromium:
  Installed: (none)
  Candidate: 73.0.3683.75-1
  Version table:
     73.0.3683.75-1 500
        500 https://repo.pureos.net/pureos green/main amd64 Packages

Cheers,
    Matthias

>
> ---------- Forwarded message ----------
> From: Michael Gilbert
> To: debian-security-announce at lists.debian.org
> Cc:
> Bcc:
> Date: Sat, 9 Mar 2019 23:14:35 -0500
> Subject: [SECURITY] [DSA 4404-1] chromium security update
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-4404-1                   security at debian.org
> https://www.debian.org/security/                           Michael Gilbert
> March 09, 2019                        https://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package        : chromium
> CVE ID         : CVE-2019-5786
>
> Clement Lecigne discovered a use-after-free issue in chromium's file
> reader implementation. A maliciously crafted file could be used to
> remotely execute arbitrary code because of this problem.
>
> This update also fixes a regression introduced in a previous update. The
> browser would always crash when launched in remote debugging mode.
>
> For the stable distribution (stretch), this problem has been fixed in
> version 72.0.3626.122-1~deb9u1.
>
> We recommend that you upgrade your chromium packages.
>
> For the detailed security status of chromium please refer to
> its security tracker page at:
> https://security-tracker.debian.org/tracker/chromium
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-announce at lists.debian.org
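The question in this thread is whether apt's Candidate for chromium is at or above the version an advisory names as fixed, which is a Debian version comparison (note the `~` in 72.0.3626.122-1~deb9u1, which sorts before the bare revision). The block below is an added example, not code from the thread, from dpkg or from apt: a Python port of dpkg's version-ordering rules plus a check over `apt-cache policy` output of the shape quoted above; the POLICY_OUTPUT sample is constructed.

```python
def _order(c):
    # dpkg weight: '~' < end-of-string or digit (0) < letters (ASCII) < other symbols
    if c == "~":
        return -1
    return 0 if c == "" or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Port of libdpkg's verrevcmp(): compare alternating non-digit and numeric runs
    at = lambda s, k: s[k] if k < len(s) else ""  # "" stands for end of string
    i = j = 0
    while at(a, i) or at(b, j):
        first_diff = 0
        while (at(a, i) and not at(a, i).isdigit()) or (at(b, j) and not at(b, j).isdigit()):
            if _order(at(a, i)) != _order(at(b, j)):
                return _order(at(a, i)) - _order(at(b, j))
            i, j = i + 1, j + 1
        while at(a, i) == "0": i += 1  # leading zeros are insignificant
        while at(b, j) == "0": j += 1
        while at(a, i).isdigit() and at(b, j).isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if at(a, i).isdigit():  # the longer digit run is the larger number
            return 1
        if at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(v1, v2):
    # <0, 0 or >0, like `dpkg --compare-versions v1 lt|eq|gt v2`
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

# Constructed sample in the shape of the `apt-cache policy chromium` output quoted above
POLICY_OUTPUT = "chromium:\n  Installed: (none)\n  Candidate: 72.0.3626.109-1\n  Version table:\n"

def candidate_is_fixed(policy_text, fixed_version):
    # Read the Candidate line of `apt-cache policy` output; True only if apt would
    # install at least the version the advisory names as fixed
    for line in policy_text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Candidate" and value.strip() != "(none)":
            return compare_versions(value.strip(), fixed_version) >= 0
    return False
```

Run `apt update` before capturing the policy output, since, as noted above, a stale index reports a stale Candidate regardless of what the archive holds.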